I track people who are disrupting the world of mobile technology. Non-conformists, innovators and agitators are this blog's unsung heroes, from entrepreneurs to scientists, to rebellious hackers. I'm the author of "We Are Anonymous: Inside the Hacker World of LulzSec, Anonymous and the Global Cyber Insurgency", (Little Brown, 2012) which The New York Times called a "lively, startling book that reads as 'The Social Network' for group hackers." I recently relocated to Forbes' San Francisco office, and was previously Forbes' London bureau chief from 2008-12, interviewing British billionaires like Philip Green and controversial figures like Mohammed Al Fayed; I wrote last year's billionaires cover story on Russia's Yuri Milner, and have broken stories like the Facebook-Spotify partnership in 2011. Before all this I had stints at the BBC and as a radio journalist. You can watch me on 'The Daily Show' here. If you have a story idea or tip, e-mail me at polson@forbes.com or follow me on Twitter: parmy.

Is This The Girl That Hacked HBGary?

UPDATE: The story of “Kayla” is profiled extensively in my book, We Are Anonymous, out June 5, 2012 and shipping from Amazon now. It is the first definitive book to chart the rise of Anonymous and tell the inside story of its splinter group LulzSec, as well as the deeper mystery and online mythology surrounding Kayla. LulzSec was founded by Kayla’s online friends Hector “Sabu” Monsegur and Jake “Topiary” Davis. All three have now been arrested and charged by British and American authorities. In March 2012, police charged Ryan Ackroyd, a 26-year-old former British soldier, with online offences committed under the nickname Kayla. He is scheduled to plead in court on June 25, 2012. More on the court case here.

——–

Next time you see a flock of teenage girls in the mall, there’s a small chance that one of them might be Kayla. As your average 16-year-old, she regularly hangs out with friends, works part time at a salon and hopes one day to be a teacher. At least, that’s what Kayla wants you to think.

The hacker flits around the web with so covert an identity that I cannot fully verify her age or gender. (For clarity’s sake, I refer to Kayla throughout this article as “she.”) Behind the scenes she supports Anonymous, the loosely knit global hacking movement that brought down the Web sites of MasterCard and PayPal in defence of WikiLeaks.

The person known on chat forums as ‘k, and who spoke to me by e-mail as “Kayla,” is no figment of the Internet’s imagination: she helped all but destroy a company. When Aaron Barr, the now-former CEO of software security firm HBGary Federal, claimed in a press report that he could identify members of the Anonymous collective through social media, she and four other hackers broke into his company’s servers in revenge, defacing his Web site, purging data and posting more than 50,000 of his emails online for the world to see, all within the space of 24 hours.

Kayla claims to have played a key role, at one point posing as HBGary CEO Greg Hoglund to an IT administrator to social engineer access to his website rootkit.com. Read their email correspondence here and here. In the fallout, Barr’s emails revealed HBGary had proposed a dirty tricks campaign against WikiLeaks to a law firm representing Bank of America. Other security firms distanced themselves. Kayla and her buddies had opened a can of worms.

Today while HBGary picks up the pieces, Kayla still spends a few hours a night on Anonymous chat channels looking for her next target. Most recently it was the Libyan government, helping get information to Libyan citizens in the Internet blackout.

With just half a dozen close friends online, she has a strict regimen to remain invisible on the web. Each night, Kayla says she wipes every one of her web accounts and deletes every email in her inbox. She has no physical hard drive and boots her computer from a microSD card. “I could hide this card anywhere or chew into a million pieces in a few seconds,” she says by e-mail. She keeps her operating system on a USB stick and uses a virtual machine (VM) to carry out her online shenanigans.

So paranoid is Kayla about being caught or hacked by others that, despite several requests, she would not speak to me on Skype to verify an adolescent-sounding voice. Our only evidence: others in Anonymous vouch for her age, her emails are punctuated with smiley faces and “lols” and she is relatively well-known on hacking forums. Still, rumors abound that Kayla is a mid-20s male from New Jersey named Corey Barnhill, who also goes by the pseudonym Xyrix.

When I put this to Kayla she countered that in 2008 (aged 14) she and a few other users of an early Anonymous IRC network called partyvan hacked the account of fellow user Xyrix in defence of an online friend. Kayla used Xyrix’s (Corey’s) account to social engineer an IRC operator and got her target’s personal information. The operator thought Xyrix was Kayla, added her to Xyrix’s Encyclopedia Dramatica page, and the rest is history.

How did this mystery “girl” become a hacker? Kayla says that’s down to her dad, a software engineer who won custody over her after a divorce that deemed him the “more stable parent.” They moved to the countryside where others her age were few and far between. The house was meanwhile littered with programming books on the Linux kernel, Intel manuals and networking. “I just started reading them,” she says. By the time Kayla was 14 she could fully program in C and x86 assembly.

“My dad encouraged it at first,” she says. “He thought it was awesome I was so in to what he did.” Dad allegedly showed her how to find bugs in C source code and exploit them. It was all harmless and Kayla had only been using the Internet to talk to friends on MSN. But she began looking into hacking, and learned scripting languages like Perl, Python and PHP, figuring out how to use databases like MySQL and how to attack them using SQL injection.

She registered at a few online hacking forums but was snubbed because of her age–apparent because in the early days she gave her personal details when registering. “Fair enough I was only 14 but it made me so angry,” Kayla says. She took revenge by hacking into the forums themselves and disrupting things, impressing some of the users–though things got weird when one or two developed crushes. (Though there’s a strong possibility that Kayla’s true identity is hidden behind an elaborate lie, it’s not at all surprising that other hackers would develop a crush on the Kayla persona. “There are no girls in the Internet,” as the saying goes; hence even the suggestion of their existence can make an impression.)

Then an older male user that she hacked into hit back by digging up her e-mail address and phone number from old MSN information that was still on the web. He called her house and threatened to contact the police. Upon realizing how he’d got her details–it was “like a slap in the face”–Kayla did everything she could to scrub the web clean of her identity.

Comments

Did you do any fact-checking at all? This alleged “Kayla” personality didn’t pose as Aaron Barr, “she” posed as Greg Hoglund, which you can easily see from reading the e-mails that you have hyperlinked.

It’s really difficult to assign credibility to anything you say after an obvious mistake like that.

Corey is feeding you a story, dear Parmy. Either that, or you’re helping them play cover up. All of anon’s inner circle know “Kayla” is a guy.

There is not, and never has been, any female wunderkind in anon. It’s propaganda. You’ll really like seeing the logs where they discuss “owning” you, I think. You’re charmed, just as they planned to charm you.

The best sociopaths stick the knife in while the victim is still smiling.

The big red flag for me in this article is the sentence that begins “Spokespeople for Anonymous…” There are no “Spokespeople” because there is no official organization. There are many people who post on 4chan who are Anonymous, but that doesn’t mean that every one of them has been part of or even endorses every Anonymous action.

The article mentions the DDOS on Scientology, which led to a large group worldwide that has come out and protested (often in person) the abuses in the Scientology organization. But that doesn’t mean that everyone calling themselves Anonymous is part of the protests and it doesn’t mean that anyone who is part of those protests has taken part in anything else. Although they may have and you would never know. You know why? Because they are ANONYMOUS! That’s the whole point. So, whether Kayla is a 16 year old girl or a 20 something man doesn’t matter. What’s most interesting is that a group of people with lots of time and the will to make a point can make it. And although sometimes it’s just for the lulz, more often lately, it’s been to unmask hubris, take a stand for human rights and freedom of expression, and help the little guy.

I’m pretty sure that this ‘girl’ just trolled. Anyway – what’s so amazing about a 16-year-old ‘girl’ doing something like this? There are kids (mostly boys – for a reason) that are much younger, that can do more than just pose, harvest info, perform SQL injection, find exploits, etc.

I can’t believe that a Forbes Article linked to Encyclopedia Dramatica. ED is NEVER appropriate (but always hilarious) and should only be linked to, even for a topic as plain as “LULZ”, if it has a warning (usually “ED”) associated with it. Seriously, link to [http://knowyourmeme.com/memes/i-did-it-for-the-lulz] or something else, but not ED.

Otherwise, great piece, I just hope she doesn’t get caught because of it.

Also, you linked to /b/ – another not great idea. Currently on the board is a topless girl, a guy in a chastity belt and a dude and a tranny getting it on. I mean seriously, is linking to Wikipedia so hard? [http://en.wikipedia.org/wiki/4chan#.2Fb.2F]

I, personally, don’t care because I’ve seen all of these sites before, but what happens when someone who hasn’t reads your piece and goes to the site? However, if you’re trying to do the aforementioned (by linking to /b/) for the lulz then respect.

Hi, parmygotplayed–great name, by the way–actually I’ve been in touch with Corey, who attests to being an entirely different person to Kayla. Although such is the nature of Anonymous, as I think I’ve made clear in this story, that you can never really be sure of anyone’s true identity.

Also you seem to miss the info that it was Aaron Barr who was an administrator for HBGary systems, on top of being CEO for Federal, and person you refer to only for rootkit.com. This can be seen on the Arstechnica article which tells the details, and e-mails you hyperlinked which talk only about that site.

I take your point, but the way I see it, Anonymous is a large, fluid, global collective / movement, with a few individuals who are consistently putting in time and labor to spearhead various hacking operations. From what I understand Kayla is among that minority.

The issue of spokespeople is a gray area. Barrett Brown and Gregg Housh, who speak to the media about Anonymous, are uncomfortable about being referred to as spokesmen because it contradicts how they define Anonymous. Fair enough. But they are, at the very least, representing the views of people who support Anonymous.

I’m dubious though. Many of the most brilliant coders lack social skills – and I’ve seen a similar correlation with hackers and social engineering. Sixteen year old girls are typically anything but antisocial, but they usually don’t spend hours learning what is a very comprehensive and impressive list of technical computer knowledge either. It’s an unlikely situation. Especially considering that pretending to be a teenage girl with daddy issues is a common tactic used by social engineers / hackers to manipulate gullible (typically male) IT professionals.

It’s doubtful we will ever find out the truth. Whether these claims are exaggerated or fabricated or true – it’s still a great story.

Right, Parmy. The guy pretending to be a sixteen year old who hacked himself would never get on the phone and fib to you about to cover his own ass vis a vis the felonies he’s committed. Must be a real sixteen year old girl.

The pastie leaked in this thread – that was him trollololing about it. They also discuss it in the #hq logs.

I am the irc op that was “socially engineered” by xyrix/Kayla, though it was far from anything I would call social engineering. This so called friend of kayla’s was a pathological liar and an odd individual. There was no hacking or social engineering of my personal information and the only information this Kayla obtained was from googling my nickname. Now, it was not that I had an inkling or side thought about Kayla being xyrix, since I had no idea who xyrix was at this time, but in order to further gloat over finding old blogs of mine, I was sent a request on msn messenger for a xyrix email address while Kayla tried to be snarky on irc. Putting one and one together and taking into consideration that on the internet you can be anyone, is it a big stretch that a 20something man would pretend to be a teenage girl? Using smilies and Lols on emails is nothing, anyone decent at trying to pretend to be someone else would have known to do that (and it’s an easy trick for pedo fishing as well). A Lulzsec expose of sorts was released on paste bin, further linking xyrix to Kayla. To this day, I do not believe that this Kayla exists. http://pastebin.com/raw.php?i=iVujX4TR

Yes, it sucks to be hacked and have your personal info spread around…. but besides all of that, “Miss Kayla Anonymous” seems pretty damn brilliant and could probably become very successful with her skills!!! Just stating the obvious facts.

I think the “girl” is a sham. It sounds like a persona. The biggest clue was the fact that her father knows about this but thinks it’s “hilarious”. That sounds like a comment from a 21-22 year old spouting their opinion.

I can’t think of too many parents, especially ones in the IT field, that would look at possible imprisonment for their teenage child with such indifference. Especially one that won a custody battle. Just doesn’t add up.